Fair cryptosystems and methods of use

ABSTRACT

A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys. According to the method, each user's secret key is broken into shares. Then, each user provides a plurality of "trustees" with pieces of information. The pieces of information provided to each trustee enable that trustee to verify that such information includes a "share" of a secret key of some given public key. Each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee and without sending messages to the user. Upon a predetermined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlawful activity, the trustees reveal to the entity the shares of the secret key of such user. This enables the entity to reconstruct the secret key and monitor the suspect user's communications.

This application is a continuation-in-part of prior copending application Ser. No. 07/870,935, filed Apr. 20, 1992, now U.S. Pat. No. 5,276,737.

TECHNICAL FIELD

The present invention relates generally to cryptosystems and more particularly to methods for enabling a given entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users.

BACKGROUND OF THE INVENTION

In a single-key cryptosystem a common secret key is used both to encrypt and decrypt messages. Thus only two parties who have safely exchanged such a key beforehand can use these systems for private communication. This severely limits the applicability of single-key systems.

In a double-key cryptosystem, the process of encrypting and decrypting is instead governed by different keys. In essence, one comes up with a pair of matching encryption and decryption keys. What is encrypted using a given encryption key can only be decrypted using the corresponding decryption key. Moreover, the encryption key does not "betray" its matching decryption key. That is, knowledge of the encryption key does not help to find out the value of the decryption key. The advantage of double-key systems is that they can allow two parties who have never safely exchanged any key to privately communicate over an insecure communication line (i.e., one that may be tapped by an adversary). They do this by executing an on-line, private communication protocol.

In particular, Party A alerts Party B that he wants to talk to him privately. Party B then computes a pair of matching encryption and decryption keys (E_(B), D_(B)). B then sends A the key E_(B). Party A now encrypts his message m, obtaining the ciphertext c=E_(B)(m), and sends c to B over the insecure channel. B decrypts the ciphertext by computing m=D_(B)(c). If an adversary eavesdrops on all communication between A and B, he will then hear both B's encryption key, E_(B), and A's ciphertext, c. However, since the adversary does not know B's decryption key, D_(B), he cannot compute m from c.

The utility of the above protocol is still quite limited since it suffers from two drawbacks. First, for A to send a private message to B it is necessary also that B send a message to A, at least the first time. In some situations this is a real disadvantage. Moreover, A has no guarantee (since the line is insecure anyway) that the received string E_(B) really is B's encryption key. Indeed, it may be a key sent by an adversary, who will then understand the subsequent, encrypted transmission.

An ordinary public-key cryptosystem ("PKC") solves both difficulties and greatly facilitates communication. Such a system essentially consists of using a double-key system in conjunction with a proper key management center. Each user X comes up with a pair of matching encryption and decryption keys (E_(X), D_(X)) of a double-key system. He keeps D_(X) for himself and gives E_(X) to the key management center. The center is responsible for updating and publicizing a directory of correct public keys for each user, that is, a correct list of entries of the type (X, E_(X)). For instance, upon receiving the request from X to have E_(X) as his public key, the center properly checks X's identity, and (digitally) signs the pair (X, E_(X)), together with the current date if every encryption key has a limited validity. The center publicizes E_(X) by distributing the signed information to all users in the system. This way, without any interaction, users can send each other private messages via their public encryption key that they can look up in the directory published by the center. The identity problem is also solved, since the center's signature of the pair (X, E_(X)) guarantees that the pair has been distributed by the center, which has already checked X's identity.

The convenience of a PKC depends on the key management center. Because setting up such a center on a grand scale requires a great deal of effort, the precise protocols to be followed must be properly chosen. Moreover, public-key cryptography has certain disadvantages. A main disadvantage is that any such system can be abused, for example, by terrorists and criminal organizations who can use their own PKC (without knowledge of the authorities) and thus conduct their illegal business with great secrecy and yet with extreme convenience.

It would therefore be desirable to prevent any abuse of a public key cryptosystem while maintaining all of its lawful advantages.

BRIEF SUMMARY OF THE INVENTION

It is an object of the present invention to provide methods for enabling a given entity, such as the government, to monitor communications of users suspected of unlawful activities while at the same time protecting the privacy of law-abiding users.

It is a further object of the invention to provide such methods using either public or private key cryptosystems.

It is a still further object of the invention to provide so-called "fair" cryptosystems wherein an entity can monitor communications of suspect users only upon predetermined occurrences, e.g., the obtaining of a court order.

It is another object to describe methods of constructing fair cryptosystems for use in such communications techniques.

In one embodiment, these and other objects of the invention are provided in a method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys. According to the method, each user's secret key is broken into shares. Then, each user provides a plurality of "trustees" with pieces of information. The pieces of information provided to each trustee enable that trustee to verify that such information includes a "share" of a secret key of some given public key. Further, each trustee can verify that the pieces of information provided include a share of the secret key without interaction with any other trustee and without sending messages to the user. Upon a predetermined request or condition, e.g., a court order authorizing the entity to monitor the communications of a user suspected of unlawful activity, the trustees reveal to the entity the shares of the secret key of such user to enable the entity to reconstruct the secret key and monitor the suspect user's communications.

The method can be carried out whether or not the identity of the suspect user is known to the trustees, and even if less than all of the shares of the suspect user's secret key are required to be revealed in order to reconstruct the secret key. The method is robust enough to be effective if a given minority of trustees have been compromised and cannot be trusted to cooperate with the entity. In addition, the suspect user's activities are characterized as unlawful if the entity, after reconstructing or having tried to reconstruct the secret key, is still unable to monitor the suspect user's communications.

According to another, more generalized aspect of the invention, a method is described for using a public-key cryptosystem for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users. The method comprises the step of "verifiably secret sharing" each user's secret key with a plurality of trustees so that each trustee can verify that the share received is part of a secret key of some public key.

The foregoing has outlined some of the more pertinent objects of the present invention. These objects should be construed to be merely illustrative of some of the more prominent features and applications of the invention. Many other beneficial results can be attained by applying the disclosed invention in a different manner or modifying the invention as will be described. Accordingly, other objects and a fuller understanding of the invention may be had by referring to the following Detailed Description of the preferred embodiment.

BRIEF DESCRIPTION OF THE DRAWINGS

For a more complete understanding of the present invention and the advantages thereof, reference should be made to the following Detailed Description taken in connection with the accompanying drawings in which:

FIG. 1 is a simplified diagram of a communications system over which a government entity desires to monitor communications of users suspected of unlawful activities;

FIG. 2 is a block diagram of a preferred hierarchy of entities that may use the methods of the present invention to monitor communications of users suspected of unlawful activities.

DETAILED DESCRIPTION

FIG. 1 represents a simple communications system 10 comprising a telephone network connected between a calling station 12 and a called station 14. One or more local central offices or telephone switches 16 connect telephone signals over the network in a well-known fashion. Referring now also to FIG. 2, assume that a government entity, such as local law enforcement agency 18, desires to monitor communications to and/or from calling station 12 because the user of such calling station is suspected of unlawful activity. Assume further that the user of the calling station 12 communicates using a PKC. Following accepted legal practices, the agency 18 obtains a court order from court 20 to privately monitor the line 15. According to the present invention, the agency is able to monitor the line 15 while at the same time the privacy rights of other law-abiding users of the network are maintained. This is accomplished, as will be described, by requiring that each user "secret share" the user's secret key (of the PKC) with a plurality of trustees 22a . . . 22n.

According to the invention, a "fair" PKC is a special type of public-key cryptosystem. Every user can still choose his own keys and keep secret his private one; nonetheless, a special agreed-upon party (e.g., the government), and solely this party, under the proper circumstances envisaged by the law (e.g., a court order), and solely under these circumstances, is authorized to monitor all messages sent to a specific user. A fair PKC improves the security of the existing communication systems (e.g., the telephone service 10) while remaining within the constraints of accepted legal procedures.

In one embodiment, fair PKC's are constructed in the following general way. Referring now to FIGS. 1-2, it is assumed that there are five (5) trustees 22a . . . 22e and that the government desires, upon receiving a court order, to monitor the telephone communications to or from the calling station 12. Although the above description is specific, it should be appreciated that users of the communications system and trustees may be people or computing devices. It is preferable that the trustees are chosen to be trustworthy. For instance, they may be judges (or computers controlled by them), or computers specially set up for this purpose. The trustees, together with the individual users, play a crucial role in deciding which encryption keys will be published in the system.

Each user independently chooses his own public and secret keys according to a given double-key system (for instance, the public key consists of the product of two primes, and the secret key one of these two primes). Since the user has chosen both of his keys, he can be sure of their "quality" and of the privacy of his decryption key. He then breaks his secret decryption key into five special "pieces" (i.e., he computes from his decryption key 5 special strings/numbers) possessing the following properties:

(1) The private key can be reconstructed given knowledge of all five special pieces;

(2) The private key cannot be guessed at all if one only knows (any) 4, or less, of the special pieces;

(3) For i=1, . . . 5, the i-th special piece can be individually verified to be correct.

Given all 5 special pieces or "shares", one can verify that they are correct by checking that they indeed yield the private decryption key. According to one feature of the invention, property (3) insures that each special piece can be verified to be correct (i.e., that together with the other 4 special pieces it yields the private key) individually, i.e., without knowing the secret key at all and without knowing the value of any of the other special pieces.

The user then privately (e.g., in encrypted form) gives trustee 22i his own public key and the i-th piece of its associated secret key. Each trustee 22 individually inspects his received piece, and, if it is correct, approves the public key (e.g. signs it) and safely stores the piece relative to it. These approvals are given to a key management center 24, either directly by the trustees, or (possibly in a single message) by the individual user who collects them from the trustees. The center 24, which may or may not coincide with the government, itself approves (e.g., signs) any public key that is approved by all trustees. These center-approved keys are the public keys of the fair PKC and they are distributed and used for private communication as in an ordinary PKC.

Because the special pieces of each decryption key are privately given to the trustees, an adversary who taps the communication line of two users possesses the same information as in the underlying, ordinary PKC. Thus if the underlying PKC is secure, so is the fair PKC. Moreover, even if the adversary were one of the trustees himself, or even a cooperating collection of any four out of five of the trustees, property (2) insures that the adversary would still have the same information as in the ordinary PKC. Because the possibility that an adversary corrupts five out of five judges is absolutely remote, the security of the resulting fair PKC is the same as in the underlying PKC.

When presented with a court order, for example, the trustees 22 reveal to the government 20 the pieces of a given decryption key in their possession. According to the invention, the trustees may or may not be aware of the identity of the user who possesses the given decryption key. This provides additional security against "compromised" trustees who might otherwise tip off the suspect user once a request for that user's decryption key share is received by the trustee.

Upon receiving the shares, the government reconstructs the given decryption key. By property (3), each trustee previously verified whether he was given a correct special piece of a given decryption key. Moreover, every public key was authorized by the key management center 24 only if it was approved by all trustees 22. Thus, the government is guaranteed that, in case of a court order, it will be given all special pieces of any decryption key. By property (1), this is a guarantee that the government will be able to reconstruct any given decryption key if necessary to monitor communications over the network.

Several types of fair PKC's are now described in more detail.

Diffie and Hellman's PKC

The Diffie and Hellman public-key cryptosystem is known and is readily transformed into a fair PKC by the present invention. In the Diffie and Hellman scheme, each pair of users X and Y succeeds, without any interaction, in agreeing upon a common, secret key S_(xy) to be used as a conventional single-key cryptosystem. In the ordinary Diffie-Hellman PKC, there are a prime p and a generator (or high-order element) g common to all users. User X secretly selects a random integer Sx in the interval [1, p-1] as his private key and publicly announces the integer Px=g^(Sx) mod p as his public key. Another user, Y, will similarly select Sy as his private key and announce Py=g^(Sy) mod p as his public key. The value of the common key is determined as S_(xy)=g^(SxSy) mod p. User X computes Sxy by raising Y's public key to his private key mod p, and user Y by raising X's public key to his secret key mod p. In fact:

    (g^(Sx))^(Sy) = g^(SxSy) = Sxy = g^(SySx) = (g^(Sy))^(Sx) mod p.

While it is easy, given g, p and x, to compute y=g^(x) mod p, no efficient algorithm is known for computing, given y and p, x such that g^(x)=y mod p when g has high enough order. This is the discrete logarithm problem. This problem has been used as the basis of security in many cryptosystems. The Diffie and Hellman PKC is transformed into a fair one in the following manner.

Each user X randomly chooses 5 integers Sx1, . . . Sx5 in the interval [1, p-1] and lets Sx be their sum mod p. It should be understood that all following operations are modulo p. User X then computes the numbers:

    t1=g^(Sx1), . . . , t5=g^(Sx5) and Px=g^(Sx).

Px will be User X's public key and Sx his private key. The ti's will be referred to as the public pieces of Px, and the Sxi's as the private pieces. It should be noted that the product of the public pieces equals the public key Px. In fact:

    t1 · . . . · t5 = g^(Sx1) · . . . · g^(Sx5) = g^(Sx1 + . . . + Sx5) = g^(Sx).

Let T1, . . . T5 be the five trustees. User X now gives Px, the public pieces and Sx1 to trustee T1, Px, the public pieces and Sx2 to trustee T2, and so on. Piece Sxi is privately given to trustee Ti. Upon receiving public and private pieces ti and Sxi, trustee Ti verifies whether g^(Sxi) = ti. If so, the trustee stores the pair (Px, Sxi), signs the sequence (Px,t1,t2,t3,t4,t5) and gives the signed sequence to the key management center 24 (or to user X, who will then give all of the signed public pieces at once to the key management center). Upon receiving all the signed sequences relative to a given public key Px, the key management center verifies that these sequences contain the same subsequence of public pieces t1 . . . t5 and that the product of the public pieces indeed equals Px. If so, center 24 approves Px as a public key and distributes it as in the original scheme (e.g., signs it and gives it to user X). The encryption and decryption instructions for any pair of users X and Y are exactly as in the Diffie and Hellman scheme (i.e., with common, secret key Sxy).

This way of proceeding matches the previously-described way of constructing a fair PKC. A still fair version of the Diffie-Hellman scheme can be obtained in a simpler manner by having the user give to each trustee Ti just the public piece ti and its corresponding private piece Sxi, and have the user give the key management center the public key Px. The center will approve Px only if it receives all public pieces, signed by the proper trustee, and the product of these public pieces equals Px. In this way, trustee Ti can verify that Sxi is the discrete logarithm of public piece ti. Such trustee cannot quite verify that Sxi is a legitimate share of Px since the trustee has not seen Px or the other public pieces. Nonetheless, the result is a fair PKC based on the Diffie-Hellman scheme because properties (1)-(3) described above are still satisfied.

Either one of the above-described fair PKCs has the same degree of privacy of communication offered by the underlying Diffie-Hellman scheme. In fact, the validation of a public key does not compromise the corresponding private key. Each trustee Ti receives, as a special piece, the discrete logarithm, Sxi, of a random number, ti. This information is clearly irrelevant for computing the discrete logarithm of Px. The same is actually true for any 4 of the trustees taken together, since any four special pieces are independent of the private decryption key Sx. Also the key management center does not possess any information relevant to the private key, i.e., the discrete logarithm of Px. All the center has are the public pieces respectively signed by the trustees. The public pieces simply are 5 random numbers whose product is Px. This type of information is irrelevant for computing the discrete logarithm of Px; in fact, anyone could choose four integers at random and set the fifth to be Px divided by the product of the first four. The result would be integral because division is modulo p. As for a trustee's signature, this just represents the promise that someone else has a secret piece.

Even the information in the hands of the center together with any four of the trustees is irrelevant for computing the private key Sx. Thus, not only is the user guaranteed that the validation procedure will not betray his private key, but he also knows that this procedure has been properly followed because it is he himself that computes his own keys and the pieces of his private one.

Second, if the key management center validates the public key Px, then its private key is guaranteed to be reconstructable by the government in case of a court order. In fact, the center receives all 5 public pieces of Px, each signed by the proper trustee. These signatures testify that trustee Ti possesses the discrete logarithm of public piece ti. Since the center verifies that the product of the public pieces equals Px, it also knows that the sum of the secret pieces in storage with the trustees equals the discrete logarithm of Px; i.e., user X's private key. Thus the center knows that, if a court order were issued requesting the private key of X, the government is guaranteed to obtain the needed private key by summing the values received from the trustees.
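The five-trustee Diffie-Hellman scheme just described, as an added Python illustration that is not part of the patent text. The toy group (p = 2^31 - 1, g = 7), the reduction of Sx modulo the group order p-1 (which is what makes the product of the public pieces equal Px exactly) and the modelling of a trustee's signature as the returned sequence are assumptions of this example.

```python
"""Fair Diffie-Hellman PKC with five trustees, all of whom are needed to
reconstruct the secret key (n = T = 5, t = 4)."""
import secrets
from math import prod

# Constructed toy group: p = 2^31 - 1 is prime and 7 a primitive root mod p.
# Real deployments use far larger primes; these values are for illustration only.
P = 2147483647
G = 7
ORDER = P - 1            # g^k depends only on k mod (p-1)
N_TRUSTEES = 5


def user_keygen(rng=secrets.randbelow):
    """User X picks private pieces Sx1..Sx5 in [1, p-1], lets Sx be their sum and
    derives public pieces ti = g^Sxi and public key Px = g^Sx (mod p). The sum is
    reduced modulo the group order p-1, which is what makes t1*...*t5 == Px exact."""
    private_pieces = [1 + rng(P - 1) for _ in range(N_TRUSTEES)]
    sx = sum(private_pieces) % ORDER
    public_pieces = [pow(G, s, P) for s in private_pieces]
    px = pow(G, sx, P)
    return sx, px, private_pieces, public_pieces


def trustee_verify(px, public_pieces, i, sxi):
    """Trustee Ti checks g^Sxi == ti without seeing Sx or any other private piece.
    On success he stores (Px, Sxi) and signs (Px, t1, ..., t5); the signature is
    modelled here by returning the approved sequence, None meaning refusal."""
    if pow(G, sxi, P) != public_pieces[i]:
        return None
    return (px, tuple(public_pieces))


def center_approve(px, signed_sequences):
    """The key management center approves Px only if all five trustees signed the
    same sequence (Px, t1..t5) and the product of the public pieces equals Px."""
    if len(signed_sequences) != N_TRUSTEES or None in signed_sequences:
        return False
    if len(set(signed_sequences)) != 1:
        return False
    signed_px, pieces = signed_sequences[0]
    return signed_px == px and prod(pieces) % P == px


def reconstruct(private_pieces):
    """With all five stored pieces (e.g. after a court order), Sx is their sum."""
    return sum(private_pieces) % ORDER


def run_protocol(rng=secrets.randbelow):
    """Honest flow: key generation, per-trustee checks, center approval, recovery.
    Returns (approved, recovered key matches Sx and opens Px)."""
    sx, px, priv, pub = user_keygen(rng)
    signed = [trustee_verify(px, pub, i, priv[i]) for i in range(N_TRUSTEES)]
    recovered = reconstruct(priv)
    return center_approve(px, signed), recovered == sx and pow(G, recovered, P) == px


def run_cheating_user(rng=secrets.randbelow):
    """A user who hands trustee T3 a wrong private piece: T3 refuses to sign, and
    without five consistent signatures the center never approves Px.
    Returns (T3 refused, center approved)."""
    sx, px, priv, pub = user_keygen(rng)
    bad = list(priv)
    bad[2] = bad[2] % ORDER + 1          # shifting the exponent by one (mod p-1) breaks g^Sx3 == t3
    signed = [trustee_verify(px, pub, i, bad[i]) for i in range(N_TRUSTEES)]
    return signed[2] is None, center_approve(px, signed)


if __name__ == "__main__":
    print("honest user:  ", run_protocol())        # (True, True)
    print("cheating user:", run_cheating_user())   # (True, False)
```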

RSA Fair PKC

The following describes a fair PKC based on the known RSA function. In the ordinary RSA PKC, the public key consists of an integer N, the product of two primes, and one exponent e (relatively prime with φ(N), where φ is Euler's totient function). No matter what the exponent, the private key may always be chosen to be N's factorization. By way of brief background, the RSA scheme has certain characteristics that derive from aspects of number theory:

Fact 1. Let Z_(N)* denote the multiplicative group of the integers between 1 and N and relatively prime with N. If N is the product of two primes N=pq (or two prime powers: N=p^(a) q^(b)), then

(1) a number s in Z_(N)* is a square mod N if and only if it has four distinct square roots mod N: x, -x mod N, y, and -y mod N (i.e., x² = y² = s mod N). Moreover, from the greatest common divisor of ±x±y and N, one easily computes the factorization of N. Also;

(2) one in four of the numbers in Z_(N) * is a square mod N.

Fact 2. Among the integers in Z_(N)* is defined a function, the Jacobi symbol, that evaluates easily to either 1 or -1. The Jacobi symbol of x is denoted by (x/N). The Jacobi symbol is multiplicative; i.e., (x/N)(y/N)=(xy/N). If N is the product of two primes N=pq (or two prime powers: N=p^(a) q^(b)), with p and q congruent to 3 mod 4, then, if ±x and ±y are the four square roots of a square mod N, (x/N)=(-x/N)=+1 and (y/N)=(-y/N)=-1. Thus, because of Fact 1, if one is given a Jacobi symbol 1 root and a Jacobi symbol -1 root of any square, he can easily factor N.

With this background, the following describes how the RSA cryptosystem can be made fair in a simple way. For simplicity again assume there are five trustees and that all of them must collaborate to reconstruct a secret key, while no four of them can even predict it. The RSA cryptosystem is easily converted into a fair PKC by efficiently sharing N's factorization with the trustees. In particular, the trustees are privately provided information that, perhaps together with other given common information, enables one to reconstruct two (or more) square roots x and y (x different from ±y mod N) of a common square mod N. The given common information may be the Jacobi -1 root of x², which is y.

A user chooses P and Q, primes congruent to 3 mod 4, as his private key and N=PQ as his public key. Then he chooses 5 Jacobi 1 integers X₁, X₂, X₃, X₄ and X₅ (preferably at random) in Z_(N)* and computes their product, X, and X_(i)² mod N for all i=1, . . . , 5. The product of the last 5 squares, Z, is itself a square. One square root of Z mod N is X, which has Jacobi symbol equal to 1 (since the Jacobi symbol is multiplicative). The user computes Y, one of the Jacobi -1 roots of Z mod N. X₁², . . . , X₅² mod N will be the public pieces of public key N and the X_(i)'s the private pieces. The user gives trustee Ti private piece X_(i) (and possibly the corresponding public piece, all other public pieces and the public key N, depending on whether it is desired that the verification of the shares so as to satisfy properties (1)-(3) is performed by both trustees and the center, or the trustees alone). Trustee Ti squares X_(i) mod N, gives the key management center his signature of X_(i)², and stores X_(i).

The center first checks that (-1/N)=1, i.e., that for all x: (x/N)=(-x/N). This is partial evidence that N is of the right form. Upon receiving the valid signatures of the public pieces of N and the Jacobi -1 value Y from the user, the center checks whether, mod N, the square of Y equals the product of the five public pieces. If so, it checks, possibly with the help of the user, that N is the product of two prime powers. If so, the center approves N.

The reasoning behind the scheme is as follows. The trustees' signatures of the X_(i)²'s (mod N) guarantee the center that every trustee Ti has stored a Jacobi symbol 1 root of X_(i)² mod N. Thus, in case of a court order, all these Jacobi symbol 1 roots can be retrieved. Their product, mod N, will also have Jacobi symbol 1, since this function is multiplicative, and will be a root of X² mod N. But since the center has verified that Y² = X² mod N, one would have two roots X and Y of a common square mod N. Moreover, Y is different from X since it has a different Jacobi symbol, and Y is also different from -X, since (-X/N)=(X/N) because (a) (-1/N) has been checked to be 1 and (b) the Jacobi symbol is multiplicative. Possession of such square roots, by Facts 1 and 2, is equivalent to having the factorization of N, provided that N is the product of at most two prime powers. This last property has also been checked by the center before it has approved N.

Verification that N is the product of at most two prime powers can be performed in various ways. For instance, the center and user can engage in a zero-knowledge proof of this fact. Alternatively, the user may provide the center with the square root mod N for roughly 1/4 of the integers in a prescribed and random enough sequence of integers. For instance, such a sequence could be determined by one-way hashing N to a short seed and then expanding it into a longer sequence using a pseudo-random generator. If a dishonest user has chosen his N to be the product of three or more prime powers, then it would be foolish for him to hope that roughly 1/4 of the integers in the sequence are squares mod N. In fact, for his choice of N, at most 1/8 of the integers have square roots mod N.
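The RSA fair PKC of this section, as an added Python illustration that is not part of the patent text: the user's choice of Jacobi-1 pieces and of the Jacobi -1 root Y, the center's checks, and the recovery of N's factorization from the retrieved pieces. The toy primes P=1019 and Q=1031 (both 3 mod 4), the Jacobi-symbol routine and the modelling of a trustee's signature by the square it signs are assumptions of this example; the further proof that N has at most two prime factors is omitted.

```python
"""Fair RSA PKC: the factorization of N = PQ is shared with five trustees through
Jacobi-symbol-1 square roots, and recovered from two roots of a common square."""
import secrets
from math import gcd, prod

# Constructed toy primes, both congruent to 3 mod 4. Real moduli are far larger.
P_TOY, Q_TOY = 1019, 1031


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (standard reciprocity algorithm)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def crt(a, p, b, q):
    """The x mod pq with x = a (mod p) and x = b (mod q), for coprime p and q."""
    return (a * q * pow(q, -1, p) + b * p * pow(p, -1, q)) % (p * q)


def jacobi_minus_one_root(z, p, q):
    """Given the factorization, return the square root of z mod pq with Jacobi
    symbol -1. For p, q = 3 (mod 4), z^((p+1)/4) is a root of z mod p; negating
    the mod-p component flips the Jacobi symbol, so one of two candidates is -1."""
    rp, rq = pow(z, (p + 1) // 4, p), pow(z, (q + 1) // 4, q)
    for root in (crt(rp, p, rq, q), crt(p - rp, p, rq, q)):
        if jacobi(root, p * q) == -1:
            return root
    raise ValueError("z is not a square modulo pq")


def user_keygen(p, q, rng=secrets.randbelow):
    """User: secret key (P, Q), public key N = PQ. Picks five Jacobi-1 units X1..X5
    (the private pieces); the public pieces are Xi^2 mod N; Y is a Jacobi -1 root of
    Z = prod(Xi^2) = X^2, where X = prod(Xi) has Jacobi symbol 1."""
    n = p * q
    xs = []
    while len(xs) < 5:
        x = 2 + rng(n - 3)
        if gcd(x, n) == 1 and jacobi(x, n) == 1:
            xs.append(x)
    squares = [x * x % n for x in xs]
    y = jacobi_minus_one_root(prod(squares) % n, p, q)
    return n, xs, squares, y


def trustee_sign(xi, n):
    """Trustee Ti stores Xi and signs Xi^2 mod N; the signature is modelled by the
    square itself."""
    return xi * xi % n


def center_approve(n, signed_squares, y):
    """Center: (-1/N) must be 1, Y must have Jacobi symbol -1, and Y^2 must equal the
    product of the five signed public pieces mod N. (The further check that N has at
    most two prime factors, by zero-knowledge proof or the 1/4-squares test, is omitted.)"""
    if jacobi(n - 1, n) != 1 or jacobi(y, n) != -1:
        return False
    return y * y % n == prod(signed_squares) % n


def reconstruct_factors(n, private_pieces, y):
    """After a court order: X = prod(Xi) mod N has Jacobi symbol 1 and X^2 = Y^2 mod N,
    while Y has Jacobi symbol -1, so Y != +-X and gcd(X - Y, N) is a proper factor."""
    x = prod(private_pieces) % n
    f = gcd(x - y, n)
    if f in (1, n):
        return None
    return tuple(sorted((f, n // f)))


def demo(p=P_TOY, q=Q_TOY, rng=secrets.randbelow):
    """Returns (center approved N, government recovered the factorization (P, Q))."""
    n, xs, _squares, y = user_keygen(p, q, rng)
    signed = [trustee_sign(xi, n) for xi in xs]
    approved = center_approve(n, signed, y)
    return approved, reconstruct_factors(n, xs, y) == tuple(sorted((p, q)))


if __name__ == "__main__":
    print(demo())    # (True, True)
```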

Variations

The above schemes can be modified in many ways. For instance, the proof that N is the product of two prime powers can be done by the trustees (in collaboration with the user), who then inform the center of their findings. Also, the scheme can be modified so that the cooperation of a majority of the trustees is sufficient for reconstructing the secret key, while any minority cannot gain any information about the secret key. Also, as with all fair cryptosystems, one can arrange that when the government asks a trustee for his piece of the secret key of a user, the trustee does not learn the identity of the user. These variations are discussed in more detail below.

In particular, the schemes described above are robust in the sense that some trustees, accidentally or maliciously, may reveal the shares in their possession without compromising the security of the system. However, these schemes rely on the fact that the trustees will collaborate during the reconstruction stage. In fact, it was insisted that all of the shares should be needed for recovering a secret key. This requirement may be disadvantageous, either because some trustees may turn out to be untrustworthy and refuse to give the government the key in their possession, or because, despite all file backups, a trustee may have genuinely lost the information in its possession. Whatever the reason, in this circumstance the reconstruction of a secret key will be prevented. This problem is also solved by the present invention.

By way of background, "secret sharing" (with parameters n, T, t) is a prior cryptographic scheme consisting of two phases: in phase one a secret value chosen by a distinguished person, the dealer, is put in safe storage with n people or computers, the trustees, by giving each one of them a piece of information. In phase two, when the trustees pool together the information in their possession, the secret is recovered. Secret sharing has a major disadvantage: it presupposes that the dealer gives the trustees correct shares (pieces of information) about his secret value. "Verifiable Secret Sharing" (VSS) solves this "honesty" problem. In a VSS scheme, each trustee can verify that the share given to him is genuine without knowing the shares of the other trustees or the secret itself. Specifically, the trustee can verify that, if T verified shares are revealed, the original secret will be reconstructed, no matter what the dealer or dishonest trustees might do.

The above-described fair PKC schemes are based on a properly structured, non-interactive verifiable secret sharing scheme with parameters n=5, T=5 and t=4. According to the present invention, it may be desirable to have different values of these parameters, e.g., n=5, T=3 and t=2. In such case, any majority of the trustees can recover a secret key, while no minority of trustees can predict it at all. This is achieved as follows (and can be simply generalized to any desired values of n, T and t in which T>t).

Subset Method for the Diffie-Hellman Scheme

After choosing a secret key Sx in [1, p-1], user X computes his public key Px=g^(Sx) mod p (with all computations below being mod p). User X now considers all triplets of numbers between 1 and 5: (1,2,3), (2,3,4) etc. For each triplet (a,b,c), user X randomly chooses three integers S1abc, . . . , S3abc in the interval [1, p-1] so that their sum mod p equals Sx. Then he computes the numbers:

    t1abc=g^(S1abc), t2abc=g^(S2abc), t3abc=g^(S3abc)

The tiabc's will be referred to as public pieces of Px, and the Siabc's as private pieces. Again, the product of the public pieces equals the public key Px. In fact,

    t1abc · t2abc · t3abc = g^(S1abc) · g^(S2abc) · g^(S3abc) = g^(S1abc + S2abc + S3abc) = g^(Sx) = Px

User X then gives trustee Ta t1abc and S1abc, trustee Tb t2abc and S2abc, and trustee Tc t3abc and S3abc, always specifying the triplet in question. Upon receiving these quantities, trustee Ta (all other trustees do something similar) verifies that t1abc=g^(S1abc), signs the value (Px, t1abc, (a,b,c)) and gives the signature to the management center.

The key management center, for each triple (a,b,c), retrieves the values t1abc, t2abc and t3abc from the signed information received from trustees Ta, Tb and Tc. If the product of these three values equals Px and the signatures are valid, the center approves Px as a public key.

The reason the scheme works, assuming that at most 2 trustees are untrustworthy, is that all secret pieces of a triple are needed for computing (or predicting) a secret key. Thus no secret key in the system can be retrieved by any 2 trustees. On the other hand, after a court order at least three trustees reveal all the secret pieces in their possession about a given public key. The government then has all the necessary secret pieces for at least one triple, and thus can easily compute the desired secret key.
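The subset method for n=5, T=3, as an added Python illustration that is not part of the patent text; it also shows that two cooperating trustees alone hold no complete triple and recover nothing. The toy group (p = 2^31 - 1, g = 7), the reduction of exponents modulo the group order p-1 and the tuple-based stand-in for signatures are assumptions of this example.

```python
"""Subset method for a fair Diffie-Hellman PKC: n = 5 trustees, any T = 3 of
them can reconstruct the secret key Sx, no t = 2 of them learn anything."""
import secrets
from itertools import combinations
from math import prod

# Constructed toy group: p = 2^31 - 1 is prime and 7 a primitive root mod p.
# Real deployments use far larger primes; these values are for illustration only.
P = 2147483647
G = 7
ORDER = P - 1            # g^k depends only on k mod (p-1)
TRUSTEES = (1, 2, 3, 4, 5)
T = 3


def user_keygen(rng=secrets.randbelow):
    """User X picks Sx and Px = g^Sx, then for every triplet (a,b,c) of trustees
    three pieces S1abc, S2abc, S3abc summing to Sx (reduced modulo the group order
    p-1 so that the public pieces multiply to Px) and t_iabc = g^S_iabc."""
    sx = 1 + rng(P - 2)                  # Sx in [1, p-2]
    px = pow(G, sx, P)
    private, public = {}, {}             # triplet -> (S1abc,S2abc,S3abc) / (t1abc,t2abc,t3abc)
    for trip in combinations(TRUSTEES, T):
        s1, s2 = 1 + rng(P - 1), 1 + rng(P - 1)
        s3 = (sx - s1 - s2) % ORDER
        private[trip] = (s1, s2, s3)
        public[trip] = tuple(pow(G, s, P) for s in private[trip])
    return sx, px, private, public


def distribute(px, private, public):
    """User hands trustee Ta, for each triplet (a,b,c) containing a, the pieces
    (t_jabc, S_jabc) for a's position j in the triplet. Ta checks t_jabc == g^S_jabc,
    stores S_jabc under the triplet and signs (Px, t_jabc, (a,b,c)); the signature
    is modelled here by the tuple itself. Returns (storage, signatures) or (None, None)."""
    storage = {a: {} for a in TRUSTEES}
    signatures = []
    for trip, pieces in private.items():
        for j, a in enumerate(trip):
            t = public[trip][j]
            if pow(G, pieces[j], P) != t:
                return None, None
            storage[a][trip] = pieces[j]
            signatures.append((a, px, t, trip))
    return storage, signatures


def center_approve(px, signatures):
    """For every triplet the center gathers the three public pieces from the three
    trustees' signatures and approves Px only if each product equals Px."""
    if signatures is None:
        return False
    by_trip = {}
    for a, signed_px, t, trip in signatures:
        if signed_px != px or a not in trip:
            return False
        by_trip.setdefault(trip, {})[a] = t
    for trip in combinations(TRUSTEES, T):
        pieces = by_trip.get(trip, {})
        if set(pieces) != set(trip) or prod(pieces.values()) % P != px:
            return False
    return True


def reconstruct(px, storage, cooperating):
    """After a court order, any three cooperating trustees form a triplet whose
    three private pieces sum to Sx. Returns None when fewer than three cooperate."""
    for trip in combinations(sorted(cooperating), T):
        sx = sum(storage[a][trip] for a in trip) % ORDER
        if pow(G, sx, P) == px:
            return sx
    return None


def demo(rng=secrets.randbelow):
    """Honest run; trustees 1 and 4 then refuse to cooperate and 2, 3, 5 suffice,
    while 2 and 5 alone recover nothing."""
    sx, px, private, public = user_keygen(rng)
    storage, signatures = distribute(px, private, public)
    approved = center_approve(px, signatures)
    from_three = reconstruct(px, storage, {2, 3, 5})
    from_two = reconstruct(px, storage, {2, 5})
    return approved, from_three == sx, from_two


if __name__ == "__main__":
    print(demo())    # (True, True, None)
```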

Alternatively, each trustee is replaced by a group of new trustees. For instance, instead of a single trustee Ta, there may be three trustees: Ta1, Ta2 and Ta3. Each of these trustees will receive and check the same share of trustee Ta. In this way it is very unlikely that all three trustees will refuse to surrender their copy of the first share.

After having ensured that a few potentially malicious trustees cannot prevent reconstruction of the key, there are still further security issues to address, namely, a trustee--requested by a court order to surrender his share of a given secret key--may alert the owner of that key that his communications are about to be monitored. This problem is also solved by the invention. A simple solution arises if the cryptosystem used by the trustees possesses certain algebraic properties. This is illustrated for the Diffie-Hellman case, though the same result occurs for the RSA scheme. In the following discussion, for simplicity it is assumed that all trustees collaborate in the reconstruction of the secret key.

Oblivious and Fair Diffie-Hellman Scheme

Assume that all trustees use deterministic RSA for receiving private messages. Thus, let Ni be the public RSA modulus of trustee Ti and ei his encryption exponent (i.e., to send Ti a message m in encrypted form, one would send m^(ei) mod Ni).

User U prepares his public and secret key, respectively Px and Sx (thus Px=g^(Sx) mod p), as well as his public and secret pieces of the secret key, respectively the ti's and Sxi's (thus Px = t1 · t2 · . . . · t5 mod p and ti=g^(Sxi) mod p for all i). Then, the user gives to the key management center Px, all of the ti's and the n values Ui=(Sxi)^(ei) mod Ni; i.e., he encrypts the i-th share with the public key of trustee Ti. Since the center does not know the factorization of the Ni's, this is not useful information to predict Sx, nor can the center verify that the decryptions of the n ciphertexts are proper shares of Sx. For this, the center will seek the cooperation of the n trustees, but without informing them of the identity of the user, as will be described.

The center stores the values tj's and Uj's relative to user U and then forwards Ui and ti to trustee Ti. If every trustee Ti verifies that the decryption of Ui is a proper private piece relative to ti, the center approves Px.

Assume now that the judicial authority decides to monitor user U's communications. To lawfully reconstruct secret key Sx without leaking to a trustee the identity of the suspected user U, a judge (or another authorized representative) randomly selects a number Ri mod Ni and computes yi=Ri^(ei) mod Ni. Then, he sends trustee Ti the value zi=Ui · yi mod Ni, asking with a court order to compute and send back wi, the ei-th root of zi mod Ni. Since zi is a random number mod Ni, no matter what the value of Ui is, trustee Ti cannot guess the identity of the user U in question. Moreover, since zi is the product of Ui and yi mod Ni, the ei-th root of zi is the product mod Ni of the ei-th root of Ui (i.e., Sxi) and the ei-th root of yi (i.e., Ri). Thus, upon receiving wi, the judge divides it by Ri mod Ni, thereby computing the desired Sxi. The sum of these Sxi's equals the desired Sx.
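The oblivious recovery exchange above, as an added example (not the patent's own code): each trustee holds a demo-sized deterministic RSA key, the user encrypts each share under its trustee's RSA key, the trustee verifies the decrypted share against ti at enrolment, and at recovery time the judge blinds Ui with yi = Ri^(ei) before asking for the ei-th root, then divides by Ri. The DH group, the 512-bit RSA moduli, the Miller-Rabin key generator, the summation of shares modulo p-1 and every function name are assumptions of this example.

```python
import math
import secrets

# Toy DH group, constructed for this example (not from the page).
P = 2**255 - 19
G = 2
ORDER = P - 1                  # shares are added modulo the exponent order
N_TRUSTEES = 5


def is_probable_prime(n, rounds=24):
    """Miller-Rabin; adequate for a demo key generator."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keygen(bits=512, e=65537):
    """Trustee Ti's deterministic RSA key (Ni, ei, di); demo-sized modulus."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def user_setup(trustee_pubs):
    """User U: Sx, Px = g^Sx, additive shares Sxi with ti = g^Sxi, and
    Ui = Sxi^ei mod Ni (each share encrypted to its trustee)."""
    sx = secrets.randbelow(ORDER - 1) + 1
    shares = [secrets.randbelow(ORDER - 1) + 1 for _ in range(N_TRUSTEES - 1)]
    shares.append((sx - sum(shares)) % ORDER)        # Sx = sum of shares
    t = [pow(G, s, P) for s in shares]
    u = [pow(s, e, n) for s, (n, e) in zip(shares, trustee_pubs)]
    return sx, pow(G, sx, P), t, u


def trustee_checks_piece(priv, u_i, t_i):
    """Trustee Ti at enrolment: decrypt Ui and confirm g^(plaintext) = ti."""
    n, _, d = priv
    return pow(G, pow(u_i, d, n), P) == t_i


def center_approves(px, t, trustee_checks):
    """Center: product of the ti's is Px and every trustee reported success."""
    prod = 1
    for t_i in t:
        prod = prod * t_i % P
    return prod == px and all(trustee_checks)


def judge_blind(u_i, pub):
    """Judge: random Ri coprime to Ni, yi = Ri^ei, zi = Ui * yi mod Ni."""
    n, e = pub
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r, u_i * pow(r, e, n) % n


def trustee_root(priv, z_i):
    """Trustee Ti under court order: the ei-th root of zi.  zi is uniformly
    random mod Ni, so it does not identify whose share Ui it blinds."""
    n, _, d = priv
    return pow(z_i, d, n)


def judge_unblind(w_i, r, n):
    """wi = Sxi * Ri mod Ni, so dividing by Ri yields the share Sxi."""
    return w_i * pow(r, -1, n) % n


def demo():
    """Enrolment, approval and blinded recovery; returns (approved, ok)."""
    privs = [rsa_keygen() for _ in range(N_TRUSTEES)]
    pubs = [(n, e) for n, e, _ in privs]
    sx, px, t, u = user_setup(pubs)
    checks = [trustee_checks_piece(pr, ui, ti) for pr, ui, ti in zip(privs, u, t)]
    approved = center_approves(px, t, checks)
    recovered = 0
    for pr, pub, u_i in zip(privs, pubs, u):
        r, z = judge_blind(u_i, pub)
        w = trustee_root(pr, z)
        recovered = (recovered + judge_unblind(w, r, pub[0])) % ORDER
    return approved, recovered == sx
```

The trustee in this exchange is acting as a raw RSA decryption oracle on whatever zi it is handed, which is exactly why the text ties each request to a court order: the blinding hides the user from the trustee, not the trustee's capability from the requester.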

Further Variations

In other variations of the invention, in case of a court order, the government is only authorized to understand the messages concerning a given user for a limited amount of time. The collective approval of all trustees may stand for the government approval. Also, trustees need not store their piece of the private key. The encryption of this piece--in the trustee's public key and signed by the trustee--can be made part of the user's public key. In this way, the public key carries the proof of its own authenticity and verification. In the latter case it may be advantageous to break the trustee's private keys into pieces.

If the user is an electronic device, such as an integrated circuit chip, the basic process of key selection and public-key validation can be done before the device leaves the factory. In this case, it may be advantageous that a "copy" of the trustee can be maintained within the factory. A copy of a trustee is a physically secure chip--one whose data cannot be read--containing a copy of the trustee's decryption key. The trustee (i.e., the party capable of giving the piece of a private key under a court order) need not necessarily coincide with this device.

In another variation, it may be arranged that the trustees each have a piece of the government private key, and that each user's private key is encrypted with the public key of the government.

While the use of a fair PKC in a telecommunications network (and under the authority of the government) has been described, such description is not meant to be taken by way of limitation. A fair PKC can be used in private organizations as well. For example, in a large organization where there is a need for privacy, assume there is an established "superior" but not all employees can be trusted since there are too many of them. The need for privacy requires the use of encryption. Because not all employees can be trusted, using a single encryption key for the whole company is unacceptable, as is using a number of single-key cryptosystems (since this would generate enormous key-distribution problems). Having each employee use his own double-key system is also dangerous, since he or she might conspire against the company with great secrecy, impunity and convenience.

In such application of a fair PKC, numerous advantages are obtained. First, each employee is in charge of choosing his own keys. While enjoying the advantages of a more distributed procedure, the organization retains absolute control because the superior is guaranteed to be able to decrypt every employee's communications when necessary. There is no need to change keys when the superior changes because the trustees need not be changed. The trustees' storage places need less surveillance, since only compromising all of them will give an adversary any advantage.

For making a private-key cryptosystem fair, but also for a PKC, it is desirable that each trustee first deposits an encrypted or otherwise committed version of his share, so that, when he is asked to reveal what his share was, he cannot change his mind about its value. Also, it is desirable that the user gives his shares to the trustees signed; such signatures can be relative to a different public key (if they are digital signatures) or to the same new public key if the new key can be used for signing as well. In this way, the share revealed by the trustee clearly proves where it originated. Better still, the user may sign the encryption (under the trustee's key) of the share given to a trustee, and the signature can be revealed together with the share. This approach ensures that one can both be certain that what was revealed was a share approved by the user and also that the trustees and the user cannot collaborate later on in changing its value.

As stated above, it may be desirable to use the fair PKC for time-bounded eavesdropping. A more specific description of such techniques is now given. For the purposes of example only, the following discussion presumes that the monitoring takes place over a telephone system, although of course the invention is not so limited. Currently, if no encryption is used, when a proper court order is given the authorities (such as the state or federal authorities) can and are allowed to monitor the conversations of a suspected user. However, if this court-authorized line tapping and other investigative procedures do not show any wrongdoing, this monitoring will stop (or at least will stop being legal). This restores the privacy of the erroneously-suspected user. Thus, currently, the citizens must trust the Government that (1) no line-tapping is initiated without a proper court order, and (2) a legitimately-initiated court order is terminated when the court decides so. If a fair PKC is used to encrypt all communications, then the citizens need not trust the Government with respect to the former point. The same guarantee does not, however, hold for the latter consideration. In fact, once the authorities have reconstructed a user's secret key in response to a proper court order, the citizens must still trust (rather than be certain) that the reconstructed secret key will be forgotten and destroyed, so that no further line-tapping can continue after the Court says so. According to the invention, fair PKC's are enhanced so that they also guarantee property 2, that is, by allowing time-bounded monitoring.

In one embodiment, time-bounded court-authorized eavesdropping uses secure chips (i.e., chips whose memory--or parts of it--cannot be read from the outside, and cannot be tampered with). One method can now be described. Assume that a proper court order is issued to tap the line of user X from February to April. Since the messages traveling along X's line are encrypted, the authorities will make use of a chip to decode them. Assume that the chip is secure and capable of receiving encrypted messages from the trustees. For instance, the chip possesses a public encryption key PC and a corresponding secret decryption key SC. While PC may be universally known, and is in particular known to the trustees, SC is safely stored within the chip, and actually known only to the chip itself (e.g., because it is the secure chip that has generated both PC and SC). After receiving the court order, each trustee sends a message (preferably digitally signed) to the chip consisting of the share of user X's secret key in his possession, after encrypting it via PC. Since the chip possesses SC, it easily computes all necessary shares of X's secret key, and thus the secret key itself. The court will also provide the chip with a (preferably signed) message consisting of, say, "decode, X, February-April." (Alternatively, the time interval can be specified in the message of the trustees, since they learned it from the Court anyway.) Since the chip has an internal clock, it can easily decrypt all X's messages relative to the prescribed time period. Afterwards, user X's secret key will be destroyed. Thus, to allow further line-tapping, a new court order would be required.

Time-bounded eavesdropping also can be implemented by having each user choose different secret keys when he enters the system. This method can actually be quite practical if the court authorizes eavesdropping for convenient time-intervals; for instance, "integral month-multiples." In this case, each user, at the beginning of the year (or of the decade, or . . . ) chooses 12 secret keys, SK₁, . . . , SK₁₂, together with their corresponding public keys, PK₁, . . . , PK₁₂. Each pair of keys is associated to a determined month--e.g., SK₁ and PK₁ are January's keys. The user then follows the procedure of a fair PKC so that each trustee receives (and can actually verify to have received) the correct piece of each secret key. This only entails sending each trustee a 12-times longer message than before, and having each trustee perform 12 times more computation. But both these operations are quite simple and need to be done only once per year (per decade, etc.). Like before, after the trustees inform the government that they have been given their respective pieces for each of the months, the government approves the user's public keys. This can be done in several ways. For instance, the government can digitally sign each public key individually--e.g., for user X and for the month of March, it will sign the triplet (X,3,PK₃). Thus, though the "one-time" message that user X sends to each trustee when she enters the system is longer, the public key that she needs to send to another user Y (before she can have a private conversation with him) is as short as before. For instance, if X wants to communicate with Y in March, she needs only to send Y the government signature of (X,3,PK₃). User Y (or his computer) will check that this signature is valid and that the current month is March. If so, he will use PK₃ to communicate with X. Thus, if the Court authorizes eavesdropping for the months of February, March, and April, the trustees only reveal their own pieces of the secret keys of those months. The authorities will have no help in understanding conversations outside this time interval.

In the pre-chosen secret key method described above, each user selected and properly shared with the trustees as many secret keys of a PKC as there are possible transmission "dates" (in the above example, each possible month). Within each specified date, the same public-secret key pair was used for communicating with every other user.

It is customary to use public keys only to transmit secure session keys, which are then used to encrypt messages by means of a conventional single-key system. These session keys are usually unique to the pair of users in question and the date of transmission. Indeed, each minute or second can be considered a different date, and thus there may be a different session key for every transmission between two users. Actually, the date, which can be sent in the clear, preferably may just be any progressive number identifying the transmission, but not necessarily related to physical time. Time-bounded court-authorized monitoring can also be achieved in this traditional setting. In particular, preferably session keys are chosen algorithmically (so that the trustees can compute each desired session key from information received when users enter the system), but unpredictably (so that, though some session keys may become known--e.g., because of a given court order--the other session keys remain unknown). Using this approach, one can develop many enhanced fair PKC's, for instance based on RSA and the Diffie-Hellman cryptosystems, so as to exploit advantageously their algebraic structure.

By way of still further background, assume that there is a court order to tap the conversations of user X between dates D1 and D2, and that user X at date D (in the specified time interval) communicates with user Y. If the time-bounded fair PKC requires the police to contact the trustees specifying the triplet (X, Y, D) in order to understand X's communication, the scheme might be considered somewhat impractical because the police would flood the trustees with continuous requests. An improved scheme would allow the police to contact the trustees only once, specifying only X, Y, and D1 and D2, in order to understand all the communications between X and Y at any date D in that time interval. Since, however, there may be quite a number of users Y, the trustees still risk being flooded with requests from the police. A still better scheme allows the police to go to the Trustees only once, specifying X, D1 and D2, in order to understand all communications involving X in that time interval.

The following is an efficient solution to the last scenario (although it should be appreciated that all of the above scenarios are within the scope of this invention and that "intermediate" solutions can be easily derived from it). Assume that X is a user of a fair PKC F. When X wants to initiate a secret conversation with Y at date D, she computes a secret session key SXDY and sends it to Y using F (i.e., encrypts it with Y's public key in F). User Y then computes his secret session key SYDX and sends it to X after encrypting it with the received secret key SXDY (by means of an agreed-upon conventional cryptosystem). User X then sends SYDX to Y by encrypting it with SXDY. After this handshaking, throughout the session, X sends messages to Y conventionally encrypted with SXDY, and Y sends messages to X via SYDX. (If anyone spots that the other disobeys the protocol the communication is automatically terminated, and an alarm signal may be sent to a proper place.) Thus in this example, though X and Y will understand each other perfectly, they will not be using a common, conventional key. Notice that if the police know SXDY (respectively, SYDX), they will also know SYDX (respectively, SXDY).

Assume now that the court authorizes tapping the lines of user X from date D1 to date D2, and that a conversation occurs at a time D in the time interval [D1, D2] between X and Y. The idea is to make SXDY available to the police in a convenient manner, since knowledge of this quantity will enable the police to understand X's out-going and in-coming messages, independently of who between X and Y initiated the call. To make SXDY conveniently available to the Police, we will make it easily computable on input SXD, a master secret key that X uses for computing his own session key at date D with every other user. For instance, SXDY=H(SXD,Y), where H is a secure (possibly hashing) function.

Since there may be many dates D in the desired interval, however, we make sure that SXD is easily computable from a short string, SX[D1,D2], and that short string is itself immediately computable from some short string that the police receive from the trustees when they are presented with the court order "tap X from D1 to D2." For instance, in a 3-out-of-3 case, if SXi[D1,D2] denotes the information received by the police from trustee i in response to the court order:

    SX[D1,D2] = H(SX1[D1,D2], SX2[D1,D2], SX3[D1,D2]),

where H is a secure (possibly hashing) function. Letting SXi be the value originally given to trustee i by user X when she entered the system (i.e., X gives SXi to trustee i together with the i-th piece of her own secret key in the fair PKC F), SXi[D1,D2] should easily depend on SXi. An effective choice of SXi, SXi[D1,D2], SX[D1,D2], and SXD is then made. Assume that there are 2^(d) possible dates. Imagine a binary tree with 2^(d) leaves, whose nodes have n-bit identifiers--where n=0, . . . , d. Quantity SXi[D1,D2] is computed from SXi by storing a value at each of the nodes of the tree. The value stored at the root, node Nε (where ε is the empty word), is SXi. Then a secure function G is evaluated on value SXi so as to yield two values, SXi0 and SXi1. Preferably the function is such that the value SXi is unpredictable given SXi0 and SXi1. (For instance, SXi is a random k-bit value and G is a secure pseudo-random number generator that, using SXi as a seed, outputs 2k bits: the first k will constitute value SXi0, the second k value SXi1.) Value SXi0 is then stored in the left child of the root (i.e., it is stored in node N0) and value SXi1 is stored in the right child of the root (node N1). The values of lower nodes in the tree are computed using G and the value stored in their ancestor in a similar way. Let SXiD be the value stored in leaf D (where D is an n-bit date). If D1<D2 are n-bit dates, then assume that a node N controls the interval [D1,D2] if every leaf in the tree that is a descendant of N belongs to [D1,D2], while no proper ancestor of N has this property.

Then, if SXi[D1,D2] consists of the (ordered) sequence of values stored in the nodes that control [D1,D2]:

1. SXi[D1,D2] is quite short (with respect to the interval [D1,D2]), and

2. For each date D in the interval [D1,D2], the value SXiD stored in leaf D is easily computable from SXi[D1,D2], and

3. The value stored at any leaf not belonging to [D1,D2] is not easily predictable from SXi[D1,D2].

Thus, if:

    SXD = H(SX1D, SX2D, SX3D)

where H is a secure (preferably hashing) function, and each user X chooses the values SXi (sufficiently) randomly and (sufficiently) independently, the scheme has all the desired properties. In particular:

a. user X computes SXD very efficiently for every value of D;

b. when presented with a court order to tap the line of user X between dates D1 and D2, each trustee i quickly computes SXi[D1,D2]. (In fact, he does not need to compute all values in the 2^(n)-node tree, but only those of the nodes that control [D1,D2]);

c. having received SXi[D1,D2] from every trustee i, the police can, very quickly and without further interaction with the trustees, compute:

SXiD from SXi[D1,D2] for every date D in the specified interval (in fact, its job is even easier since the SXiD's are computed in order and intermediate results can be stored),

the master secret session key SXD from the SXiD's, and

the session key SXDY from SXD for any user Y talking to X in the specified time interval.

Note that both X's out-going and in-coming messages will be understood by the police, but no message sent or received before or after the time-interval specified by the court order will be intelligible to the police (unless a new proper court order is issued).
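The tree construction and properties 1 to 3 above, as an added example that is not code from the patent: G is instantiated with domain-separated SHA-256 (a one-way stand-in for the PRG, so a parent value is not recoverable from its children), H with length-prefixed SHA-256, the date space has 4 bits and there are three trustees; all of these choices and the function names are assumptions. The example goes slightly beyond the text by computing the controlling nodes of an arbitrary interval [D1,D2], not only for one fixed order.

```python
import hashlib
import secrets

DEPTH = 4            # 2^4 = 16 possible dates in this constructed toy
N_TRUSTEES = 3       # the 3-out-of-3 case of the text


def G(value):
    """Stand-in for the page's PRG G: one value yields a left and a right
    child value, and the parent cannot be recovered from its children."""
    return (hashlib.sha256(b"left" + value).digest(),
            hashlib.sha256(b"right" + value).digest())


def H(*parts):
    """Stand-in for the page's secure hash H over several inputs; length
    prefixes keep the concatenation unambiguous."""
    h = hashlib.sha256()
    for part in parts:
        h.update(len(part).to_bytes(2, "big") + part)
    return h.digest()


def node_value(root_value, path):
    """Value stored at the node reached from `root_value` by the bit string
    `path` ('' is the node itself, '0' its left child, '01' and so on)."""
    v = root_value
    for bit in path:
        v = G(v)[int(bit)]
    return v


def control_nodes(d1, d2, depth=DEPTH):
    """Nodes that control [d1, d2]: every leaf below them lies in the
    interval and no proper ancestor has that property.  Leaf order."""
    found = []

    def visit(node):
        lo = int(node.ljust(depth, "0"), 2)     # leftmost leaf under node
        hi = int(node.ljust(depth, "1"), 2)     # rightmost leaf under node
        if hi < d1 or lo > d2:
            return
        if d1 <= lo and hi <= d2:
            found.append(node)
            return
        visit(node + "0")
        visit(node + "1")

    visit("")
    return found


def trustee_response(sxi, d1, d2):
    """Trustee i answers 'tap X from D1 to D2' with SXi[D1,D2]: the values
    at the controlling nodes and nothing that reaches any other date."""
    return [(node, node_value(sxi, node)) for node in control_nodes(d1, d2)]


def leaf_from_response(response, d, depth=DEPTH):
    """Police: SXiD for a date D in [D1,D2] from SXi[D1,D2]; None for a
    date outside the interval, since no controlling node covers it."""
    leaf = format(d, f"0{depth}b")
    for node, value in response:
        if leaf.startswith(node):
            return node_value(value, leaf[len(node):])
    return None


def master_key(leaf_values):
    """SXD = H(SX1D, SX2D, SX3D)."""
    return H(*leaf_values)


def session_key(sxd, peer):
    """SXDY = H(SXD, Y)."""
    return H(sxd, peer)


def demo(d1=5, d2=11, d=7, outside=3):
    """User X holds every SXi; the police rebuild SXD for date d in [d1,d2]
    from the trustees' responses and obtain nothing for `outside`."""
    seeds = [secrets.token_bytes(32) for _ in range(N_TRUSTEES)]   # the SXi
    leaf = format(d, f"0{DEPTH}b")
    user_sxd = master_key([node_value(s, leaf) for s in seeds])
    responses = [trustee_response(s, d1, d2) for s in seeds]
    police_leaves = [leaf_from_response(r, d) for r in responses]
    police_sxd = master_key(police_leaves)
    return {
        "cover": control_nodes(d1, d2),
        "match": police_sxd == user_sxd,
        "sxdy": session_key(police_sxd, b"Y"),
        "outside": leaf_from_response(responses[0], outside),
    }
```

For the order [5, 11] on a 16-leaf tree the controlling nodes are 0101, 011 and 10, so each trustee releases three values rather than seven leaves. Property 3 rests entirely on G being one-way from child to parent: a trustee that released a parent of a controlling node would also release dates outside the order.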

Of course, like in any fair PKC, users might not compute the session keys as above (for instance, by not using the standard equipment approved by the Government). This is easily detectable if X's conversations do not become understandable after a court order has been issued and the trustees have provided their information. Not using the right session keys, however, does not enable malicious users to abuse the government-approved system F easily. In fact, it can be part of the protocol that when it becomes evident that a given user X maliciously does not use the proper session keys, the court orders the reconstruction of user X's secret key in F--which is possible since F is a fair PKC. Thus, users who maliciously tamper with the session keys can be tapped automatically, at any date, without any additional court order.

A fair PKC has advantages even if the people who do not use it are not punished. Fair PKC's may be much more useful, however, if the government can determine whether a given cryptogram has been generated in the prescribed fair manner without any court order. That is, it would be desirable that the government, without understanding the messages exchanged (either because they are not fairly generated, or because they are fairly generated but no court order has been issued to tap the line of a given user), can tell whether they are generated in a fair way, that is, whether it would be capable of understanding them in case of a court order.

The following describes a technique for achieving this property. As will be seen, this technique may be applied to encryption devices that may or may not work in conjunction with a PKC or a fair PKC.

This technique again uses secure chips or other portable data carrier devices that include protected memory. Assume that each user has a secure chip or device that implements a fair PKC or any government-approved encryption algorithm. Each device will contain at least an encryption or decryption key for communicating with other users. In addition it will contain another key, KG, that is known to the government, but not to the user, since KG is inside the secure chip. Assume now that the user has a terminal that computes a message M which includes a ciphertext generated according to the government-approved algorithm. Prior to outputting M, the user's terminal applies a given function H (preferably a secure hashing one) to M so as to generate H(M). Then the device outputs both M and the encryption of H(M) with KG, that is E(KG,H(M)).

Assume now that the government, without wishing to understand the cleartext contained in M, wants to determine whether M was generated in an approved manner. Then all it has to do is apply H to M, so as to compute H(M), and then encrypt the result with KG and check whether the string E(KG,H(M)) sent by the user's device equals the value so computed. The user does not lose any privacy by this operation, since H(M) does not reveal the cleartext in M.

It should be noticed that KG need not be known to the Government, so long as the Government is assured that it pertains to a Government-approved device. Note further that if H itself is unknown to the user, there is no need to encrypt H(M) with KG at all. Moreover, the user, even if she does not know H(M), need not worry about H(M) somehow containing a second encrypted version of the cleartext in M (which might be decodable by the government without any court order and without her knowledge). In fact, if H is chosen to be hashing, then H(M) is short, and no short string can possibly reveal the longer cleartext contained in M, which the user wishes to remain private.
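The E(KG,H(M)) check described above, as an added example rather than the patent's own code: HMAC-SHA256 keyed with KG stands in for "the encryption of H(M) with KG", and the key and message bytes are constructed for the example. The verifier works from M and the tag alone and never touches the cleartext behind the ciphertext in M.

```python
import hashlib
import hmac
import secrets

# KG lives inside the secure chip and is known to the verifying entity.
# This value is constructed for the example.
KG = secrets.token_bytes(32)


def device_output(kg, m):
    """Secure chip: emit M together with a keyed tag over H(M).  HMAC-SHA256
    here plays the role of E(KG, H(M)); H(M) is short and reveals nothing
    about the cleartext inside the ciphertext M."""
    digest = hashlib.sha256(m).digest()
    return m, hmac.new(kg, digest, hashlib.sha256).digest()


def government_check(kg, m, tag):
    """Verifier: recompute H(M), re-derive the tag under KG and compare in
    constant time.  True only if M came out of a device holding KG."""
    expected = hmac.new(kg, hashlib.sha256(m).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo():
    """Returns (genuine, rogue, altered): a tag from the chip verifies, a
    message produced outside the chip does not, nor does a modified M."""
    m, tag = device_output(KG, b"constructed ciphertext bytes")
    genuine = government_check(KG, m, tag)
    rogue = government_check(KG, b"ciphertext from unapproved software", tag)
    altered = government_check(KG, m + b"\x00", tag)
    return genuine, rogue, altered
```

Two practical points follow from the construction. The comparison must be constant-time (hmac.compare_digest) so that the verifier does not leak tag bytes through timing. And because the same KG sits in every approved device, the guarantee is only as strong as the chip's protected memory, which is why the text insists that KG is never available to the user.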

It should be appreciated by those skilled in the art that the specific embodiments disclosed above may be readily utilized as a basis for modifying or designing other techniques and processes for carrying out the same purposes of the present invention. It should also be realized by those skilled in the art that such equivalent constructions do not depart from the spirit and scope of the invention as set forth in the appended claims.

What is claimed is:
 1. A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein each user is assigned a pair of matching secret and public keys, comprising the steps of: breaking each user's secret key into shares; providing trustees pieces of information enabling the trustees to verify that the pieces of information include shares of a secret key of some given public key; and upon a predetermined request, having the trustees reveal the shares of the secret key of a user suspected of unlawful activity to enable the entity to attempt reconstruction of the secret key; and monitoring communications to the suspect user during a time period specified in the predetermined request.
 2. The method as described in claim 1 wherein the predetermined entity is a government agency and the predetermined request is a court order.
 3. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, comprising the steps of: providing trustees pieces of information that are guaranteed to include shares of at least a secret decryption key; and upon a predetermined request, having the trustees reveal the shares of the secret decryption key to enable the entity to attempt to monitor communications to the suspected user during a time period specified in the predetermined request.
 4. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, comprising the steps of: having trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key; and upon a predetermined request, having a given number of trustees each reveal the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications to the suspected user.
 5. The method as described in claim 4 further including the step of: characterizing the user's activities as unlawful if the entity is unable to monitor the user's communications.
 6. The method as described in claim 4 wherein a given minority of trustees are unable to reconstruct the secret key.
 7. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, wherein one user has at least a secret decryption key, comprising the steps of: having trustees hold pieces of information that are guaranteed to include shares of a secret decryption key; and upon a predetermined request, having a given number of trustees each reveal the piece of information that includes the share of the secret decryption key to enable the entity to attempt to monitor communications to the user suspected of unlawful activities.
 8. The method as described in claim 7 wherein upon the predetermined request all of the trustees each reveal the piece of information.
 9. A method for revealing a user's secret value .Iadd.to enable an entity to monitor suspect communications to the user.Iaddend., comprising the steps of: having trustees hold pieces of information, .Iadd.trustees being distinct from the entity, .Iaddend.wherein a piece of information includes a share of .Iadd.the .Iaddend.secret value; .[.and .]. upon a predetermined request, having a given number of trustees each reveal the piece of information that includes the share of the secret value to enable the entity to reconstruct the secret value at a prescribed time specified in the predetermined request .Iadd.and thereby monitor said suspect communications without compromising the privacy of the other users' communications.Iaddend..
 10. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users suspected of unlawful activities while protecting the privacy of law-abiding users, comprising the steps of: having trustees hold pieces of information that are guaranteed to include shares of a secret decryption key; upon a predetermined request, having the trustees send information to a secure device having its own internal clock; and using the secure device to enable the entity to monitor communications to a suspect user for an amount of time as specified in the predetermined request.
 11. A method, using a cryptosystem, for enabling a predetermined entity to verify that a user is sending messages encrypted by means of a secure device implementing the given cryptosystem, wherein the secure device contains a secret key known to the entity, comprising the steps of: having the secure device use the given cryptosystem to generate a first string, the first string being an encryption of a message; having the secure device use the secret key to generate a second string that guarantees to the entity that the first string was generated with the given cryptosystem.
 12. A method, using a cryptosystem, for enabling a predetermined entity to confirm that users of a system exchange messages encrypted according to a predetermined algorithm, comprising the steps of: providing each user in the system with a secure chip containing at least one secret key unknown to the user; and having the user send encrypted messages using the secure chip; and with each encrypted message sent by a user, having the secure chip also send a data string, computed using the secret key, to guarantee the entity that the encrypted message was generated by the secure chip using the predetermined algorithm.
 13. The method as described in claim 12 further including the steps of: providing trustees with pieces of information including shares of a secret key; and upon a predetermined request, having a given number of trustees .[.send information including.]. .Iadd.reveal their .Iaddend.shares of the secret key to allow the entity to monitor communications to a suspect user.
 .Iadd.14. A method, using a public-key cryptosystem, for enabling a predetermined entity to monitor communications of users, wherein each user is assigned a pair of matching secret and public keys, comprising the steps of: breaking each user's secret key into shares; providing trustees pieces of information enabling the trustees to verify that the pieces of information include shares of a secret key of some given public key; upon a predetermined request, having the trustees reveal the shares of the secret key of a user to enable the entity to attempt reconstruction of the secret key; and monitoring communications to the user during a time period specified in the predetermined request..Iaddend.
 .Iadd.15. The method of claim 14, for monitoring communications of certain users while protecting the privacy of other users..Iaddend.
 .Iadd.16. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users, comprising the steps of: providing trustees pieces of information that are guaranteed to include shares of at least a secret decryption key; and upon a predetermined request, having the trustees reveal the share of the secret decryption key to enable the entity to attempt to monitor communications to the user during a time period specified in the predetermined request..Iaddend.
 .Iadd.17. The method of claim 16, for monitoring communications of certain users while protecting the privacy of other users..Iaddend.
 .Iadd.18. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users, comprising the steps of: having trustees hold pieces of information, wherein a piece of information is guaranteed to include a share of a secret decryption key; and upon a predetermined request, having a given number of trustees each reveal the piece of information that includes the share of at least one secret decryption key to enable the entity to monitor communications to the user..Iaddend.
 .Iadd.19. The method of claim 18, for monitoring communications of certain users while protecting the privacy of other users..Iaddend.
 .Iadd.20. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users, wherein one user has at least a secret decryption key, comprising the steps of: having trustees hold pieces of information that are guaranteed to include shares of a secret decryption key; and upon a predetermined request having a given number of trustees each reveal the piece of information that includes the share of the secret decryption key to enable the entity to attempt to monitor communications to the user..Iaddend.
 .Iadd.21. The method of claim 20, for monitoring communications of certain users while protecting the privacy of other users..Iaddend.
 .Iadd.22. A method, using a cryptosystem, for enabling a predetermined entity to monitor communications of users, comprising the steps of: having trustees hold pieces of information that are guaranteed to include shares of a secret decryption key; upon a predetermined request, having the trustees send information to a secure device having its own internal clock; and using the secure device to enable the entity to monitor communications to a user for an amount of time as specified in the predetermined request..Iaddend.
 .Iadd.23. The method of claim 22, for monitoring communications of certain users while protecting the privacy of other users..Iaddend.